On Thu, Aug 16, 2007 at 09:47:06AM -0700, Jo Rhett wrote: > (dropping "__TVT_MIME_" for ease of typing)
You just don't like typing my initials... ;)
> ATT is a meta of ATT_AP *or* ATT_AOPDF.
Right.
> But the PDF_FINGER01 requires ATT_TP as well as ATT. This means that
> really it will only work if ATT_TP matches. If ATT_A0PDF matches then
> it won't match.
Right, of course: that's the fingerprint. It needs a text/plain
part as well as a PDF part (which could be either application/pdf or
application/octet-stream w/ a "pdf" filename). If it only has one or
the other, we don't want to target it.
Scoring for just a PDF attachment is going to seriously FP.
Now arguably, the messages could now include no text/plain but a text/html
and a PDF, and the rule won't match that. So perhaps just looking for
/^text\b/ would be more beneficial? Also, as previously mentioned in the
thread, your mail has a text/plain, but a non-empty text/html which makes the
empty body check non-function -- I didn't want to write a plugin just to look
for an empty text/plain, so went the easy way w/ rawbody.
But anyway, the rule is doing what I intended it to do when it was written.
The rule is still working well, according to the nightly test results:
1.537 2.2811 0.0000 1.000 0.85 0.00 TVD_PDF_FINGER01
And since I haven't had time to pay attention to the newer spams, there could
definitely be room for a ...02 which targets them. :)
--
Randomly Selected Tagline:
"When you say 'I wrote a program that crashed Windows,' people just stare
at you blankly and say 'Hey, I got those with the system, *for free*.'"
- Linus Torvalds
pgpW7xknzroak.pgp
Description: PGP signature
